Control room for nuclear power plant

ABSTRACT

A reactor control interface includes a home screen video display unit (VDU) displaying blocks representing functional components of a nuclear power plant and connecting arrows that connect blocks that are providing the current heat sinking path for the nuclear power plant. Directions of the connecting arrows represent the direction of heat flow along the current heat sinking path. If the current heat flow path of the plant changes, the connecting arrows are updated accordingly. Additional VDUs include: a mimic VDU displaying a mimic of a plant component; a procedures VDU displaying a stored procedure executable by the plant; a multi-trend VDU trending various plant data; and an alarms VDU displaying side-by-side alarms registries sorted by time and priority respectively. If a VDU fails, the displays are shifted to free up one VDU to present the display of the failed VDU, and one display is shifted to an additional VDU.

CLAIM OF PRIORITY

This application is a division of U.S. application Ser. No. 13/861,004filed on Apr. 11, 2013, now U.S. Pat. No. 10,446,280, which claims thebenefit of U.S. Provisional Application No. 61/625,740, filed Apr. 18,2012, the disclosures of which are hereby incorporated by reference intheir entirety.

BACKGROUND

The following relates to the nuclear reactor arts, nuclear powergeneration arts, nuclear reactor control arts, nuclear reactorhuman-machine interface (HMI) arts, and related arts.

Nuclear power plants are highly complex and include numerous systems toensure safe operation. By way of illustrative example, a typical nuclearpower plant employing a pressurized water reactor (PWR) includes: thenuclear reactor containing a nuclear reactor core comprising fissilematerial (e.g. ²³⁵U) immersed in primary coolant water and ancillarycomponents such as a pressurizer and reactor coolant pumps (RCPs); acontrol rod drive system including control rods, control rod drivemechanisms (CRDMS) and ancillary components designed to insertneutron-absorbing control rods into the nuclear reactor core toextinguish the nuclear chain reaction (either during normal shutdown,e.g. for refueling, or in response to an abnormal condition, i.e. ascram); a steam generator in which primary coolant heats secondarycoolant to generate steam; a turbine driven by the steam; an electricgenerator turned by the turbine to generate electricity; a complexswitchyard providing the circuitry to couple the output of the generatorto an external electric grid; a condenser for condensing the steam;piping with valving and ancillary components for conducting feedwaterand steam between the various components; one or (typically) more houseelectrical systems for providing electrical power to the RCPs and otherelectrically driven components; backup power sources (typically dieselgenerators and batteries); an emergency core cooling system (EGGS) todissipate residual heat still generated by the nuclear reactor coreafter shutdown of the chain reaction; ancillary cooling water systemssupplying components such as the condenser; and so forth. A boilingwater reactor (BWR) is similar, except that in a BWR primary coolantboils in the pressure vessel and directly drives the turbine. Thesenumerous systems interact with one another. A malfunction of onecomponent may trigger responses by other systems, and/or may call forthe operator to perform certain operations in response to themalfunction.

Existing control rooms for nuclear power plants typically include acontrol panel for each component, sub-system, or other operational unit.The resulting layout is unwieldy, including numerous control panels withtypically dozens of video display units (VDUs) along with additionalindicator lights, and various operator controls such as touch-screen VDUinterfaces along with switches, buttons, and so forth. The controlpanels are arranged to form a horseshoe-shaped arc of about 90° orlarger, and inside of this arc further control panels are installed asbench boards. These vertical and bench-mounted control panels includereadout displays, indicators, and controls for all components, valves,electrical switches, circuit breakers, piping, and so forth. The arcedconfiguration enables an operator at the controls (OATC) to view allcontrols simultaneously or with a small turn to the left or right.Substantial effort has been expended in optimizing control roomergonomics, for example by placing the most critical and/or frequentlyused control panels near the center of the arc. The VDUs are typicallydesignated as safety- or non-safety related, with usually around a dozensafety-related VDUs near the center of the arc or at centrally locatedbench boards, and the two dozen or more non-safety related VDUsdistributed around the periphery.

Nonetheless, the control room is complex. A staff of five or more humanoperators is usually required around the clock. Response to a givensituation may require accessing several control panels, which may belocated at different places along the vertical arc and/or at differentbench boards. When an abnormal situation arises, it typically results innumerous alarms being set off at various control panels associated withthe various components affected by the abnormal situation. One (orpossibly more) alarm indicates the “root cause” of the abnormalsituation, while the other alarms indicate various automated responsesto the root cause, consequent operational deviations, or additionalproblems triggered by the root cause. For example, a failure of thecondenser will cause automated shutdown of the turbine, interrupts thesteam flow, trips the reactor and brings the EGOS online; and, asfurther consequences reactor pressure and temperature likely will riseand various electrical systems may also react. Each of these events isunusual and generates an alarm, and this cascade of alarms occurs over arelatively short time interval, with some alarms activating almostsimultaneously from the operators' point of view. The on-site humanoperators then confer to decipher the sequence of events that have ledto these alarms, and agree upon appropriate remedial action. In makingthe diagnosis, operators may need to move around the control room toreview various control panels. Yet, operator response should be swift toalleviate the abnormal situation. Any error in diagnosing the root causemay result in incorrect remedial action which can delay resolution ofthe root cause and may possibly introduce further problems.

Disclosed herein are improvements that provide various benefits thatwill become apparent to the skilled artisan upon reading the following.

BRIEF SUMMARY

In accordance with one aspect, a reactor control interface comprises ahome screen video display unit (VDU) configured to display: blocksrepresenting functional components of a nuclear power plant including atleast (i) blocks representing functional components of a normal heatsinking path of the nuclear power plant and (ii) blocks representingfunctional components of at least one remedial heat sinking path of thenuclear power plant, and connecting arrows of a first type connectingblocks that are providing the current heat sinking path whereindirections of the connecting arrows of the first type represent thedirection of heat flow along the current heat sinking path.

In accordance with another aspect, a method operates in conjunction withvideo display units (VDUs) of a reactor control interface wherein theVDUs include a group of safety VDUs and an additional VDU that is not asafety VDU. The method comprises: detecting a malfunctioning safety VDU,the remaining safety VDUs being functioning safety VDUs; shifting thedisplays of the functioning safety VDUs to free up one of thefunctioning safety VDUs wherein the shifting transfers the display ofone of the functioning safety VDUs to the additional VDU that is not asafety VDU; and transferring the display of the malfunctioning safetyVDU to the functioning safety VDU freed up by the shifting.

In accordance with another aspect, a non-transitory storage mediumstores instructions executable by an electronic data processing devicein communication with a video display unit (VDU) to perform a methodcomprising: displaying a home screen representing a nuclear power plant,the home screen including blocks representing functional components ofthe nuclear power plant including at least (i) blocks representingfunctional components of a normal heat sinking path of the nuclear powerplant and (ii) blocks representing functional components of at least oneremedial heat sinking path of the nuclear power plant, and connectingarrows of a first type connecting blocks that are providing the currentheat sinking path wherein directions of the connecting arrows of thefirst type represent the direction of heat flow along the current heatsinking path; and in response to the nuclear power plant transitioningto a different heat sinking path, updating the connecting arrows of thefirst type by deleting and adding connecting arrows of the first type sothat the updated connecting arrows of the first type represent thedifferent heat sinking path.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention may take form in various components and arrangements ofcomponents, and in various process operations and arrangements ofprocess operations. The drawings are only for purposes of illustratingpreferred embodiments and are not to be construed as limiting theinvention.

FIG. 1 diagrammatically shows a nuclear power plant and its control roomincluding a set of monitoring and control video display units (VDUs).

FIG. 2 shows the home screen displayed on VDU5 of FIG. 1 during normaloperation.

FIGS. 3-5 shows updates of the home screen of FIG. 2 during an abnormalevent in which the condenser goes offline (FIG. 3), the reactor scrams(FIG. 4), and the emergency core cooling system comes online (FIG. 5).

FIG. 6 shows the alarm register displayed on VDU1 of FIG. 1 concurrentlywith the home screen shown in FIG. 5.

FIG. 7 diagrammatically shows a multi-trend display suitably shown onVDU2 of FIG. 1.

FIG. 8 diagrammatically shows a mimic display suitably shown on VDU3 ofFIG. 1.

FIG. 9 diagrammatically shows a components/procedure display suitablyshown on VDU4 of FIG. 1.

FIGS. 10 and 11 diagrammatically show an illustrative failure of VDU4(FIG. 10) and a shifted display arrangement that compensates for thedefective VDU4 (FIG. 11).

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Disclosed herein are improved control room designs that substantiallyenhance the effectiveness of the nuclear power plant operators.

In existing control rooms for nuclear power plants, a large number ofVDUs (e.g. 30, 40, or even more VDUs) are employed in order to ensurethat all relevant data are displayed at all times. However, it isrecognized herein that the large number of VDUs can actually reduceoperator effectiveness because it is not possible for the operator (oreven a crew of five, six, or more operators) to monitor all VDUssimultaneously. Moreover, the large area over which this large number ofVDUs must be distributed requires operators to move about the controlroom in order to view the various VDUs. In control room embodimentsdisclosed herein, this large multiplicity of VDUs is replaced by asmaller number of VDUs, e.g. about 5-7 VDUs.

To accomplish this, it is necessary to employ hidden windows. In otherwords, not all the information of the conventional 30, 40, or more VDUscan be displayed on the 5-7 VDUs of the disclosed control roomembodiments. Nonetheless, all vital information must be displayed sothat it is guaranteed that there is no possibility that the operator atthe controls (OATC) will miss a safety-related event. To achieve thisfail-safe display of all vital information, it is disclosed herein toprovide a main display that focuses operator attention on the overridingconcern of maintaining a safe heat sinking path for the nuclear reactorcore. It is recognized herein that this single aspect of nuclear powerplant operation captures all possible safety-related events.

In normal operation, the heat sinking path for a pressurized waterreactor (PWR) is the following steam cycle (where “RCS” is “reactorcoolant system”, “PC” is “primary coolant”, and “SC” is “secondarycoolant”):

-   -   Nuclear core→RCS→SC feedwater→SC steam→turbine→condenser        where the condenser converts the secondary coolant steam back to        secondary coolant feedwater while rejecting heat to circulating        water. Heat is also rejected to the electric generator by action        of the turbine—a portion of this heat is converted to        electricity while the remainder is converted to heat in the        generator. A small portion of heat is also rejected in the        turbine itself, resulting in some steam condensation inside the        turbine, and the condensate is also fed back to the secondary        coolant feedwater system. The steam cycle of a boiling water        reactor (BWR) is similar, except that there is no for steam        generator and primary coolant boiled in the pressure vessel        directly drives the turbine:    -   Nuclear core→RCS→PC steam→turbine→condenser

In any deviation from normal operation, a safe heat sinking path must bemaintained. For example, if the primary coolant exceeds a safethreshold, the reactor scrams and the emergency core cooling system(EGGS) takes over to reject residual heat from the shut-down nuclearreactor to an ultimate heat sink (UHS) in the form of a large body ofwater, cooling tower, or so forth. Here the safe heat sinking path (forboth PWR and BWR) is:

-   -   Nuclear core→RCS→ECCS→UHS        Note that here the heat being generated in the reactor core is        not due to an operating nuclear chain reaction (that having been        extinguished by the scram and possibly by other measures such as        injection of soluble boron neutron poison), but rather is due to        residual decay heat produced as short half-life reaction        byproducts decay. As another example, in the case of a loss of        coolant accident (LOCA) the reactor again scrams, and the safe        heat sinking path for the residual decay heat is:    -   Nuclear core→RCS→Containment→ . . . →(UHS or ambient)        In this situation, the LOCA vents primary coolant steam into the        containment. The containment prevents any radiological release.        Some type of containment cooling system (indicated by the        ellipsis “ . . . ” in the heat sinking path) transfers heat from        containment to either the ultimate heat sink or to the ambient        air (or both). This heat sinking path may operate in parallel        with the heat sinking path through the ECCS.

In one nuclear reactor design currently under development (the B&WmPower™ small modular reactor) another contemplated safe heat sinkingpath employs an auxiliary condenser (“AUX”):

Nuclear core→RCS→Steam generator→AUX→ambient

In this design, the auxiliary condenser is located outside containment(e.g., a roof-mounted condenser) and is air-cooled by battery-operatedfans. The auxiliary condenser is connected with the steam generator,which is internal to the pressure vessel in the mPower™ design (i.e., anintegral PWR), so that it provides passive cooling using secondarycoolant trapped in the steam generator when main feedwater and steamline valves are shut. In some event scenarios it is contemplated toemploy this heat sinking path without scram. It is also contemplated toemploy this heat sinking path in combination with heat sinking via theECCS.

The disclosed control room embodiments employ a main or “home” displaythat is always maintained on a designated VDU. The home display is afunctional display of the heat sinking path. The home display does notattempt to show individual valves or other details (although it iscontemplated in some embodiments to include one or more principalvalves, e.g. main steam and feedwater valves), but rather representsfunctional blocks. By way of illustrative example, the turbine system issuitably represented as a single block labeled “Turbine” (or anotherintuitive label).

Similarly, the steam system (piping, valves, et cetera) conveying steamfrom the steam generator to the turbine is represented by a functionalblock labeled “Steam”, without attempting to display individual pipes orvalves. Any noteworthy excursion of the heat sinking path away from itsnormal operational envelope is highlighted on the home display by adistinctive color and/or another attention-grabbing visual effect (e.g.,flashing, boldface, et cetera). This highlighting identifies thefunctional component that is in an abnormal condition. Components thatperform a normal remedial response are highlighted in a different color(and/or other different visual effect) to emphasize that they haveresponded. In this way, the operator at the controls can immediatelyidentify the root cause of the operational excursion, and can alsoreadily recognize components that are responding normally to theexcursion.

Additional VDUs of the disclosed control room embodiments provideadditional information. In the illustrative embodiments, theseadditional VDUs provide alarm displays and trend displays. Further VDUsof the disclosed control room embodiments provide control capability. Inthe illustrative embodiments, these include a procedures/componentsdisplay and a system mimic display. The procedures/components displayenables operations at the procedure-level or component system level, anddisplays only those procedures that can be performed given the currentoperational state of the nuclear power plant. The system mimic displayprovides lower-level control of individual valves and so forth. TheseVDUs are optionally touch-sensitive or include a pointer-based userinput device (e.g. mouse, trackpad, et cetera) and operativelyinterconnected so that, for example, by touching (or selecting via amouse) the “Turbine” block on the VDU displaying home screen the turbinemimic is brought up on the mimic display.

Optionally, one or more further VDUs provide human-machine interfacingfor non-safety related components and systems. In one embodiment, a“non-safety related” component or system is one in which any eventoccurring in that component or system cannot result in a safety-relatedoperational excursion for at least one hour.

Because the disclosed control room embodiments rely upon only a fewVDUs, failure of a VDU can be problematic. In some disclosedembodiments, this is addressed using a VDU-shifting scheme by which thedisplay of the failed VDU is shifted to another VDU.

Starting with reference to FIG. 1, some illustrative embodiments aredescribed. An illustrative nuclear reactor 1 is of the pressurized waterreactor (PWR) type, and includes a pressure vessel 2 comprising an uppervessel and a lower vessel joined by a mid-flange. The pressure vessel 2houses a nuclear reactor core 4 comprising fissile material, e.g. 235Uimmersed in primary coolant water. Reactivity control is provided by acontrol rods system that includes control rod drive mechanisms (CRDMs) 6and control rod guide frame supports 8. The illustrative CRDMs 6 areinternal CRDMs disposed inside the pressure vessel and including CRDMmotors 6 m disposed inside the pressure vessel; however, external CRDMswith motors mounted above the pressure vessel and connected via tubularpressure boundary extensions are also contemplated. The pressure vesselof the operating PWR contains circulating primary coolant water thatflows upward through the nuclear reactor core 4 and through acylindrical central riser 10, discharges at the top of the central riser10 and flows back downward through a downcomer annulus 12 definedbetween the pressure vessel and the central riser to complete theprimary coolant circuit. In the illustrative PWR, primary coolantcirculation is driven by reactor coolant pumps (RCPs) 14 which may belocated where illustrated in FIG. 1 or elsewhere; moreover, naturalcirculation or the use of internal RCPs disposed inside the pressurevessel is also contemplated. Pressure inside the pressure vessel of theillustrative PWR is maintained by heating or cooling a steam bubbledisposed in an integral pressurizer volume 16 of an integral pressurizer17; alternatively, an external pressurizer can be connected with thepressure vessel by piping. The illustrative PWR is an integral PWR inwhich a steam generator (or plurality of steam generators) 18 isdisposed inside the pressure vessel, and specifically in the downcomerannulus 12 in the illustrative PWR; alternatively, an external steamgenerator can be employed. In the illustrative integral PWR, secondarycoolant in the form of feedwater is input to the steam generator 18 viaa feedwater inlet 20, and secondary coolant in the form of generatedsteam exits via a steam outlet 21. In the alternative case of anexternal steam generator, the ports 20, 21 would be replaced by primarycoolant inlet and outlet ports feeding the external steam generator. ThePWR 1 is disposed inside a primary containment 22, which is suitably asteel structure, steel-reinforced concrete structure, or the like.

With continuing reference to FIG. 1, the steam outlet 21 of the nuclearreactor delivers steam to a steam line 24 that drives a turbine 26 thatturns an electric generator 28 so as to generate electricity that isdelivered to an electrical switchyard 30 that feeds an electrical grid(not shown). Steam flows from the turbine 26 into a condenser 32 thatcondenses the steam to generate feedwater that is delivered by afeedwater line 34 to the feedwater inlet 20 of the steam generator 18 ofthe integral PWR so as to complete the steam cycle. Condensate generatedinside the turbine 26 is also recaptured and added to the feedwater, asindicated by an arrow running from the turbine 26 to the feedwater line34. The turbine 26, electric generator 28, and condenser 32 aretypically housed inside a turbine building 36 (although in someembodiments the condenser may be mounted on top of the turbine building,and other variants are contemplated). In addition to feeding theswitchyard 30, the electric generator 28 also delivers house electricityfor running pumps, monitors, and other components of the nuclear reactorplant. In the diagrammatically illustrated BOP, the generator 28 feeds amedium voltage a.c. power system 40 which in turn powers a low voltagea.c. power system 42, which in turn powers a d.c. power system 44 thatdrives a vital a.c. power system 46.

It is to be understood that the illustrative nuclear power plant of FIG.1 is an illustrative example. The disclosed nuclear power plant controlroom designs are suitably employed in conjunction with an integralPWR-based plant (as illustrated), or with a PWR-based plant employing anexternal generator, or with a boiling water reactor (BWR) based plant.In the case of a PWR with an external steam generator, the steamgenerator is typically housed inside containment with the pressurevessel so that the steam line 24 and contents of the turbine building 36remain as illustrated. In the case of a BWR, there is no steamgenerator; instead, primary coolant boils inside the pressure vessel andis ported out the steam line. In the case of a BWR, the turbine andother steam-handling components are constructed to accommodate potentialradioactive contaminants in the steam, which is primary coolant water inthe BWR case.

With continuing reference to FIG. 1, the nuclear power plant iscontrolled via a control room 50. FIG. 1 is diagrammatic and does notshow the actual physical layout of the nuclear power plant; however, ina typical embodiment a reactor building (not shown) houses thecontainment 22 (which in turn houses the PWR 1) and the control room 50,while the turbine building 36 is spatially separated by some distance,e.g. a few meters to a few tens or hundreds of meters. As the steam andfeedwater lines 24, 34 run between containment 22 and the turbinebuilding 36, keeping the separation relatively short reduces thermallosses in these lines. In the control room, an operator at the controls(OATC) is a human operator who performs control functions via a controlstation that includes six video display units VDU1, VDU2, VDU3, VDU4,VDU5, VDU6. The six video display units VDU1, VDU2, VDU3, VDU4, VDU5,VDU6 are suitably disposed on an arced table 52 or other arced supportthat partially encircles the OATC, so that the OATC has ready access toany of the six units.

VDU5 shows the home screen providing a functional diagram of the nuclearpower plant that highlights the heat sinking path and operational statusof functional blocks. VDU3 and VDU4 are control units that enable theoperator to control systems of the power plant. VDU3 is the system mimicdisplay and enables low level control of individual components, whileVDU4 is a procedures and components display that enables initiation ofprocedures performed by systems or groups of systems. The proceduresavailable to be performed are stored in a procedures database 54, andthe procedures and components display shows only those availableprocedures that can be safely performed given the current operationalstate of the nuclear power plant.

VDU2 shows data trends. VDU1 is an alarm display, and in someembodiments sorts alarms by both time-of-occurrence and by priority.VDU6 is an optional unit that displays non-safety related subjectmatter. In some multiple-reactor nuclear power plants, VDU6 displayscommon control functions that are shared by both reactors. The subjectmatter displayed on VDU6 may be under control of someone other than theOATC; additionally or alternatively, if the OATC does control subjectmatter shown on VDU6 then this is lower priority subject matter.

With reference to FIG. 2, the home display shown in VDU5 is presented.Each functional system of the illustrative nuclear power plant of FIG. 1is represented by a block or icon, e.g. a box with rounded corners inthe illustrative home screen of FIG. 2. Thus (and comparing with FIG.1), in the illustrative example: a block labeled “Fuel” represents thenuclear reactor core 1. A block labeled “Nuclear instrumentation”represents the in-core instruments (not shown in FIG. 1). A blocklabeled “Control rod drives” represents the complete control rod drivessystem including the illustrated CRDMs 6 with their motors 6 m and thecontrol rods and connecting elements, e.g., spiders, connecting rods(not shown in FIG. 1). A block labeled “Reactor coolant system”represents the reactor coolant system which includes the primary coolantwater and its containing pressure vessel 2 along with ancillarycomponents such as the RCPs 14 and the pressurizer 16, 17 that controlflow and pressure of the primary coolant. A block labeled “Containment”represents the function of the containment 22. For mnemonic purposes,the containment 22 is also diagrammatically indicated in the homedisplay, but this is optional. The block labeled “Containment”represents the containment in the functional sense, for example its rolein the heat sinking path Nuclear core→RCS→Containment→ . . . →(UHS orambient).

Further, a block labeled “Reactor coolant inventory” represents theReactor coolant inventory and purification system (RCIPS) as afunctional unit. A block labeled “Component cooling water” representsthe functional system that provides component cooling water to the RCIPSand other components. A block labeled “Chilled water” represents thechilled water supply. A block labeled “Emergency Core Cooling”represents the emergency core cooling system (EGGS). (None of thesecomponents are shown in FIG. 1.)

With continuing reference to FIG. 2 and compared with FIG. 1, a blocklabeled “Turbine” represents the turbine 26 as a system. A block labeled“Steam” represents the functional system that generates and conveyssteam from the nuclear reactor to the turbine. Thus, the block labeled“Steam” encompasses the steam generator 18, the steam pipe 24, andancillary valves. A block labeled “Generator” represents the electricalgenerator 28. A block labeled “Condenser” represents the condenser 32. Ablock labeled “Switchyard” represents the switchyard 30. The electricalsystems 40, 42, 44, 46 diagrammatically indicated in FIG. 1 arerepresented by corresponding blocks labeled “Medium voltage a.c. power”,“Low voltage a.c. power”, “d.c. power”, and “vital power”, respectively.

Additionally, the home screen of FIG. 2 includes a block labeled“Auxiliary a.c. power’ that represents the diesel generators and/orbatteries that provide emergency power if the generator 28 is notoperating. The home screen of FIG. 2 further includes blocks labeled“circulating water” that represents circulating water that provides thecold water flow for the condenser 32, and a “Turbine control” blockrepresenting control systems that control the turbine 26 and generator28. The home screen of FIG. 2 also includes a block labeled “Auxiliarycondenser” representing the auxiliary generator (AUX) of the proposedmPower™ small modular reactor, including the condenser itself andassociated cooling fans and control circuitry. (None of these componentsare shown in FIG. 1.)

It should be noted that the illustrative blocks of FIG. 2, which employtextual labels, could be otherwise labeled. For example, in someembodiments a system of three-letter acronyms is employed to labelblocks of the home screen, e.g. “CND”=“Condenser”, “RCS”=“Reactorcoolant system”, and so forth. It is also contemplated to employrepresentative symbolic icons, either instead of or in addition totextual or acronym labels.

The home screen displayed by VDU5 is a functional block diagramincluding the blocks representing functional systems as just described,along with arrows selectively connecting blocks. In the illustrativehome screen, there are two types of connecting arrows: solid arrows anddotted arrows. The solid arrows represent the heat sinking path of thenuclear power plant in its current operational state. That is, the solidconnecting arrows interconnect the displayed blocks that are providingthe current heat sinking path, and the directions of the solidconnecting arrows represent the direction of heat flow along the currentheat sinking path. The dotted arrows are optional, and if includedindicate other connections between the displayed functional blocks. FIG.2 shows the home screen during normal operation of the nuclear powerplant of FIG. 1. More generally, connecting arrows of a first type, e.g.solid connecting arrows, represent the current heat sinking path, andarrows of a second type (or of second and third types, et cetera), e.g.the dotted connecting arrows, connect blocks to represent otherfunctional associations between functional blocks but do not representthe current heat sinking path.

The normal operational heat sinking path in the form of the steam cycle:

-   -   Nuclear core→RCS→SC feedwater→SC steam→turbine→condenser        is represented by solid arrows in FIG. 2. Specifically, solid        arrows from “Nuclear instrumentation” to “Control rod drives”        and from “Control rod drives” to “Reactor coolant system”        represents the path portion Nuclear core→RCS. Explicit inclusion        of “Nuclear instrumentation” and “Control rod drives” in this        path portion allows for the home screen to highlight abnormal        operation of the reactor core, as indicated by the in-core        instruments, or of the control rod drives which control        reactivity of the core. In the home screen of FIG. 2, a solid        arrow from “Reactor coolant system” to “Steam” represents the        path portion RCS→SC feedwater→SC steam in which heat from the        reactor coolant system boils secondary coolant feedwater in the        steam generator 18. A solid arrow from “Steam” to “Turbine” and        from “Turbine” to “Generator” represents the path portion SC        steam→turbine in which the generated steam flows from the        nuclear reactor 1 to the turbine 26 via the steam pipe 24. (The        arrow from “Turbine” to “Generator” specifically denotes the        rejection of heat to the generator 28 in this path portion). A        solid arrow from “Turbine” to “Condenser” represents the path        portion turbine→condenser in which the steam flows from the        turbine 26 to the condenser 32 where it is condensed back to        form feedwater. An additional solid arrow in the home screen of        FIG. 2 running directly from “Turbine” to “Feedwater” represents        portion of steam that condense in the turbine 26 and is returned        to the feedwater system.

With continuing reference to FIG. 2, the dotted connecting arrowsindicate other operative connections between functional components thatare not directly part of the heat sinking path. For example, the dottedarrows from “Generator” to “Switchyard” and from “Generator” to “Mediumvoltage a.c. power” denote distribution of the electricity produced bythe electric generator 28. These functional connections are importantand hence are shown on the home screen to inform the OATC that theseconnections are in effect, but they do not directly impact the heatsinking.

As also seen in FIG. 2, certain functional blocks include numericannotations. For example, the “Reactor coolant system” block isannotated “2064 PSIG” indicating measured pressure of the primarycoolant water in the pressure vessel 2. The “Steam” block includes theannotation “840 PSIG” indicating the measured steam pressure. The“Turbine” block is annotated “100%” indicating the turbine is presentlyrunning at 100% capacity. The “Generator” block is annotated with thepresent electrical power output level “158 MWe”. The “Feedwater” blockis annotated with the measured feedwater temperature “325° F.”. The“Medium voltage a.c. power” and “Low voltage a.c. power” blocks areannotated with the current rms voltage levels “4176 VAC” and “483 VAC”,respectively. By providing these annotations on the home screen, theOATC is immediately aware of these parameters which are indicative ofthe current state of the corresponding annotated functional blocks.

With reference to FIG. 3, the home screen shown on VDU5 is presentedafter a failure of the condenser 32 and a consequential trip of theturbine 26 and shutoff of the electrical generator 28. The condenser isthe root cause of this abnormal operating condition, and so the“Condenser” block is highlighted by a first highlighting formatindicated in FIG. 3 by double-crosshatching. In practice, VDU5 ispreferably a color display and the “Condenser” block is preferablyhighlighted in red, as red is an attention-grabbing color, althoughother colors and/or a flashing display are also contemplated. Thus, theOATC immediately knows that the root cause of the abnormal conditionrelates to the condenser 32, although the specific mechanism of thecondenser failure is not apparent from the home screen. The “Turbine”block is shown with a different highlighting format, represented in FIG.3 by single-crosshatching. This highlighting, which may in practice be adifferent color (e.g. green) indicates to the OATC that this component(the turbine 26) is in an abnormal operating condition, but that thisabnormal operating condition was caused by something outside of theturbine 26 (namely, caused by the condenser failure in this example).Additionally, the illustrative reactor responds to this condition bybringing the auxiliary condenser online—accordingly, the “Auxiliarycondenser” block is highlighted by yet another highlighting format(indicated by wide single-crosshatching in FIG. 3, but in practicepreferably by yet another color, e.g. yellow). This third highlightingformat informs the OATC that the component is performing a remedialaction in accordance with its intended operation. The auxiliarycondenser is not in an abnormal operating state, but the fact that it isoperating is associated with an abnormal state. The “Auxiliary a.c.power” block is also highlighted by wide single-crosshatching,indicating powering of the fans of the auxiliary condenser system byauxiliary a.c. power (e.g. diesel generators and/or batteries). Thishighlighting informs the OATC that auxiliary a.c. power is active inaccordance with its intended operation.

Moreover, the solid arrows have changed to indicate the new heatsinkingpath, namely Nuclear core→RCS→Steam generator→AUX→ambient. The solidarrows connecting to the “Turbine”, “Condenser”, and “Feedwater” linesare removed as these components are no longer part of the heat sinkingpath. The solid arrow connecting “Reactor coolant system” to “Steam”remains so as to indicate the RCS→Steam generator path portion whichcontinues to operate, and new solid arrows are shown connecting the“Steam” block to the “Auxiliary condenser” block and connecting the“Auxiliary condenser” block to the “Reactor coolant system” block. Thesenew arrows represent steam flow from the steam generator to theauxiliary condenser (where heat is rejected to atmosphere) and from theauxiliary condenser back to the steam generator (where it is reheated bythe RCS).

The home screen of FIG. 3 informs the OATC that the condenser has failed(shown by double-crosshatching, e.g. red color, highlighting), and thatthe turbine has tripped (shown by single-crosshatching, e.g. greencolor, highlighting), and that the auxiliary condenser has been broughtonline (shown by wide single-crosshatching, e.g. yellow color,highlighting of both “Auxiliary condenser” and “Auxiliary a.c. power”blocks). Furthermore, the updated solid connecting arrows inform theOATC that a (new) safe heat sinking path is in operation, namely throughthe auxiliary condenser.

For simplicity, FIG. 3 does not include the block annotations shown inFIG. 2; however, they generally remain visible during abnormaloperation. In the state shown in FIG. 3, if the auxiliary condenser isunable to provide adequate heat sinking then the pressure annotation ofthe “Reactor coolant system” block will begin rising reflecting a risingprimary coolant pressure.

With reference to FIG. 4, the home screen is shown after the primarycoolant pressure has risen above a first threshold. This pressureviolation is indicated by applying the first highlighting format(double-crosshatching, e.g. red) to the “Reactor coolant system” block.Although this pressure violation is not technically a “root cause” of anabnormal state (the condenser failure is the root cause), it is not anexpected consequence of the condenser failure. Rather, in some instancesthe auxiliary condenser will provide adequate heat sinking and thepressure violation will not occur. The fact that the pressure violationhas occurred can therefore be thought of as a new or supplemental rootcause—it leads to the expected response of scramming the reactor, i.e.dropping the control rods to extinguish the nuclear chain reaction. Thisis indicated in the home screen by coloring the “Control rod drives”block with the second highlighting effect (single crosshatching, e.g.green). In an alternative embodiment, the “Control rod drives” block iscolored with the third highlighting (wide single-crosshatching, e.g.yellow) since the scram is a remedial action performed in accordancewith its intended operation. However, since scram is something that itis desired that the OATC immediately notices, using the more aggressivesecond highlighting effect, as illustrated in FIG. 4, is advantageous.

In the illustrated response sequence, the scram does not immediatelylead to bringing the ECCS online. In the illustrative reactor, it ishoped that by scramming and hence extinguishing the nuclear chainreaction, the auxiliary condenser may thereafter be able to handlerejection of the residual decay heat, so that the ECCS may not need tobe brought online. However, if the auxiliary condenser is not able tokeep up with the residual decay heat, then the primary coolant pressurewill continue to rise in the state shown in FIG. 4.

With reference to FIG. 5, the home screen is shown after the continuallyrising primary coolant pressure has risen above a second threshold thatis higher than the first threshold. This pressure violation is“supplemental” to the violation of the first threshold, so the “Reactorcoolant system” block merely remains with the first highlighting format(double-crosshatching, e.g. red). The ECCS is brought online responsiveto violation of the second pressure threshold, and this is indicated inFIG. 5 by coloring the “Emergency Core Cooling” block with the secondhighlighting effect (single crosshatching, e.g. green). Again, in analternative embodiment, the third highlighting (widesingle-crosshatching, e.g. yellow) could instead be used since the ECCSis performing a remedial action in accordance with its intendedoperation. Additionally, a new solid connecting arrow is added, runningfrom the “Reactor coolant system” block to the “Emergency Core Cooling”block. This solid arrow indicates activation of another heat sinkingpathway: Nuclear core→RCS→ECCS→UHS. Note that the illustrative homescreen does not include a functional block representing the UHS (i.e.ultimate heat sink). However, it is contemplated to include such afunctional block, in which case a further solid connecting arrow wouldsuitably run from the “Emergency Core Cooling” block to the UHS block.

In the illustrative example, the auxiliary condenser remains onlineafter the ECCS is brought online, and so the solid connecting arrowsindicating the heat sinking path involving the auxiliary condenserremain in FIG. 5. Alternatively, if the auxiliary condenser is takenoffline concurrently with bringing the ECCS online, then these arrowsfor the auxiliary condenser heat sinking path would be turned off inFIG. 5.

The sequence of FIGS. 2-5 illustrates how the home screen provides theOATC with a rapid and accurate assessment of the root cause of theproblem and its consequences.

With reference to FIG. 6, the alarm register display on VDU1 is shownfor the system in the state shown in FIG. 5. In other words, the alarmregister display of FIG. 6 is displayed on VDU1 concurrently with thedisplay of the home screen of FIG. 5 on VDU5. The illustrative alarmregister includes two sortable alarms lists: the list in the left windowshows alarms listed in reverse chronological order, that is, by reversetime sequence (with the most recent alarm on top; alternatively, thelist can be in chronological order, i.e. with the oldest alarm on top).The list in the right window shows the alarms ordered by priority. Thealarm register uses the same highlighting formats as are used in thehome screen. Thus, for example, the alarm indicating the condenser isoffline is in the first highlight format, e.g. in red color, as this isthe highest priority alarm. The alarm indicating turbine trip is in thesecond highlight format, e.g. in green color. The alarm indicatingauxiliary condenser online is in the third highlight format, e.g. inyellow color. And so forth. The (left-hand) list in reversechronological order is advantageous in tracing the sequence of events,while the (right-hand) list sorted by priority allows the OATC toidentify the most urgent alarms. To assist in tracing the alarm historyit is contemplated to label the alarms by time-of-occurrence in the lefthand reverse chronological view (time stamps not shown in FIG. 6). It isnoted that the (left-hand) list in chronological order includes two RCSoverpressure alarms—the first occurred when the RCS pressure exceededthe lower first threshold (triggering scram), and the second occurredwhen the RCS pressure exceeded the higher second threshold (triggeringplacement of the EGGS online). In the (right-hand) list by priority,only the second alarm (RCS pressure exceeding the second threshold) islisted, since this alarm subsumes the alarm for RCS pressure exceedingthe first threshold. In some embodiments, alarms are removed from the(right-hand) priority list when the underlying condition is remediated.It will be appreciated that the order of the lists can be reversed, i.e.the priority list can be on the left and the chronologically orderedlist on the right. It is also contemplated to provide operator controls(not shown) to allow the OATC to sort the alarms shown in the right-handwindow by various sorting criteria.

VDU1 has its screen split vertically into two alarm registries whichdisplay the same information, but in different formats. The left side ofthe display shows alarms chronologically organized, e.g. listed inreverse chronological order with the most recent alarm on top, andoptionally including time-stamps. In this example, sorting, filtering,and other visual manipulations disabled in the left-hand window, so thatthe OATC must view all alarms. The right side of the display showsalarms sorted by priority, with the highest priority alarms at the top.Optionally, the OATC has the ability to sort, filter, or re-arrangealarms in the right-hand window in order to display meaningful data tothe current task.

With reference to FIG. 7, an illustrative configuration for themulti-trend display on VDU2 is shown. The illustrative configurationemploys “hidden” windows that are operator-selectable using selectiontabs at the bottom of the view (suitably selected by touch if VDU2 is atouch-sensitive screen, or using a mouse pointer, or so forth). Theillustrative selection tabs include: “PWR”; “LOW PWR”; “EOP”; “SOP”;“REFUEL”; “START-UP”; and “SHUT-DOWN”. Additional or other tabs are alsocontemplated for different situations. The illustrative multi-trend viewincludes a relatively larger central window surrounded by relativelysmaller peripheral windows. For each view (corresponding to a selectedtab) the trends displayed in the various peripheral windows are in afixed arrangement. Thus, in the illustrative example, the “PWR” tab isselected and “Trend 4” is displayed in the upper right peripheralwindow. This is then done consistently—in the “PWR” view the upper rightperipheral window always displays “Trend 4”, and the operator cannotreorder the peripheral windows (e.g., using a drag-and-drop process). Inthis way, it is ensured that for a given tab (e.g. the “PWR” tab) theOATC always sees the same arrangement of trends in the multi-trenddisplay on VDU2. In this way, the OATC can gain familiarity with thislayout and, with experience, immediately knows that the upper rightperipheral window is displaying “Trend 4”. The relatively larger centralwindow, on the other hand, displays an operator-selected trend. Forexample, at the instant shown in FIG. 7 the larger central window isdisplaying “Trend 8”. Selection of the view to display in the centralwindow is suitably done by touch (for a touch-screen) or mouse selectionof the peripheral view. Thus, by clicking the mouse cursor on theperipheral window showing “Trend 8” the OATC can display “Trend 8” inthe central window (as shown). This allows the OATC to select aparticular trend for inspection in the central window, while stillseeing all of the other trends of that view in the peripheral windows.Note that in order to maintain the fixed pattern of peripheral windows,if no data is available for a given trend the corresponding peripheralwindow continues to be dedicated to that unavailable trend, as is theillustrative case for “Trend 9” in the lower left peripheral window ofFIG. 7.

In the illustrative example of FIG. 7, VDU2 can show up to twelvereal-time graphs in the peripheral window based on the current plantstate (additional or alternative to being based on an OATC-selected tabas in FIG. 7; also note that in the view shown in FIG. 7 only ten of thepossible twelve peripheral windows are being used to show trends withthe bottom rightmost two available peripheral window slots being unusedin the illustrative “PWR” view). Graphs are arranged around theperimeter of the screen with a blank center area, and the OATC canselect a graph to display in the center blank area. When a graph isdisplayed in the center, it is enlarged (while maintaining the aspectratio) to enhance visibility for the operator Graphs may contain one ormore trends. Each graph can zoom, pan, pause, display historical data,or so forth. The OATC optionally may choose to ‘stack’ multiple graphsin the center area, and stacked graphs are aligned by the x-axis (time)so that trends may be compared with respect to time. Tabs or buttons areoptionally displayed horizontally across the bottom of the screen (asper FIG. 7) to display the trends relative to that plant state. Themulti-trend display suitably defaults to the tab that corresponds withthe current plant state and display the graphs associated with that tab.

VDU3 shows a system mimic display. This display provides low-levelcontrol (e.g. of individual valves, switches, or so forth) for a givensystem. VDU3 employs “hidden” windows insofar as the OATC can select thesystem whose mimic is displayed. In some embodiments, this can be doneby touching (or mouse-clicking) the corresponding system block in thehome view of VDU5—for example, touching or mouse-clicking the “Turbine”block brings up a turbine control mimic on VDU3. To access lower-levelcomponents (e.g. a particular part of the turbine 26) a drill-downapproach can be performed on VDU3, e.g. by clicking on a part of theturbine mimic an enlarged view of the selected area is shown. Otherknown graphical user interface (GUI) navigation techniques canadditionally or alternatively be employed, such as having a set of tabsfor different components.

With reference to FIG. 8, an illustrative embodiment of VDU3, whichdisplays the system mimic, is shown. This screen displays a mimic 60 ofa current system (selected by the operator) in a simplified form. Mimicssuitably consist of components such as piping, valves, pumps, heatexchangers, tanks, et cetera. Graphical components of a mimic aresuitably drawn in diagrammatic form and extraneous information removedto increase salience of mission critical components. In one suitableconfiguration, the current system mimic is displayed in the center ofthe screen with narrow columns 62, 64 on far left side and right side,respectively, for navigation to interfacing systems, and navigation aidsare displayed in color corresponding to the current system state. Insome embodiments, a narrow row across the bottom of the screen containsnavigation aids 66 to sub-systems that support the current system. Thesesub-system mimics provide more detailed information about a specificcomponent or section of the mimic.

VDU4 displays provides an interface via which the OATC can select to runvarious pre-defined procedures stored in the procedures database 54.Each procedure has a defined operational space of primary coolantpressure, valve settings, and so forth within which the procedure isallowed to run, and VDU4 preferably displays only that sub-set ofprocedures that are allowed to run for the current state of the nuclearpower plant. In some embodiments, the list of procedures may be furtherrefined by selecting a particular system by touching or mouse-clickingthe block representing that system in the home view shown in VDU5. Otherknown GUI navigation techniques can additionally or alternatively beemployed to select the procedure. In some embodiments VDU3 and VDU4operate in concert, in that a given procedure that is running may stopto request that the OATC perform some low-level operation using VDU3. Insuch a case the executing procedure causes VDU3 to display theappropriate mimic via which the OATC can perform the low-leveloperation. Conversely, the procedure running on VDU4 may interlock VDU3so that the OATC cannot perform a dangerous low-level operation via VDU3during the procedure.

With reference to FIG. 9, an illustrative embodiment of VDU4, whichpresents the components/procedures display, is shown. In thisembodiment, the components/procedures display area is divided into threemain sections: (1) a live video feed 70; (2) component data 72; and (3)computer-based procedure 74.

The live video feed 70 is, in the illustrative embodiment of FIG. 9,located in the top right corner; and displays two live video feeds forthe current system selected (other numbers of live video feeds are alsocontemplated, e.g. one feed, two feeds, three feeds, et cetera, and thenumber may be selectable by the OATC, who also has controls for audio,video, play, pause, rewind, rotate, tilt, zoom).

The component data section 72 is suitably in the bottom right corner,and displays live data values for a selected component. Tabs 76 may bedisplayed horizontally across the bottom allow the OATC to select adifferent component and its associated data. Vertical tabs (not shown)inside the component live data view allow the OATC to select either atabular display of live data values or live data trends. Vertical tabsaligned to the right of the data display allow the OATC to select eithera tabular display of live data values, live data trends, or a componenttag task. Optionally, the component data section also allows the OATC toelectronically tag or untag components from this tag tab for tag-out,tag-caution, tag-test, and tag-maintenance. For example, when acomponent is tagged out, it is deemed unavailable by the control room.(For safety, such electronic tagging should be accompanied by physicaltagging of the actual component. Also, to ensure accuracy, the taggingoptions are only displayed for the current component state).

The computer-based procedure section 74 in the illustrative embodimentof FIG. 9 occupies the entire left side of the screen. A title at thetop of the screen designates the currently selected system, andapplicable tasks are listed for the current state of the system. TheOATC can select a task to perform and view the task steps required. Alltask steps are disabled until the OATC acknowledges the componentassociated with the current step on the system mimic screen shown onVDU3 (e.g. FIG. 10) by touching or mouse-clicking on the component inVDU3. After acknowledgement, the task step is enabled and performed. Theprocess is repeated with each step thereafter. The OATC has the optionof reverting to the previous stable condition of the system once a taskhas been selected or begun. The OATC can also “auto-complete” a task inthe event that attention is needed elsewhere. When a task is completed,the list of available system tasks reflects the new current state of thesystem. In another contemplated option, the OATC can touch or mous-clicka component in the system mimic screen of VDU3 to filter the task listfor only those which involve the selected component.

The home screen shown in VDU5 has been described with reference to FIGS.2-5, and provides high level indications of the plant status (exceptbalance-of-plant systems). Each system is represented as a roundedrectangle or other diagrammatic block and is arranged on the home screenaccording to the functional relationships with other blocks. Thefunctional system blocks indicate the state of the system through colorcoding, e.g. gray to indicate steady state, red to indicate alarm (i.e.,the first highlighting format of the example of FIGS. 3-5), yellow toindicate caution (i.e. the third highlighting format of the example ofFIGS. 3-5), and green to indicate expected responses (i.e. the secondhighlighting format of FIGS. 3-5). Relationships between the systems aredesignated by arrows, with arrowheads designating the direction of therelationship between the two systems connected (that is, input versusoutput). Input and output functional relationships between the systemsare determined based on the state of the plant and vary as the plantstate changes. While the example of FIGS. 2-5 employs textual labels forthe blocks, in another embodiment each system block is labeled with athree letter acronym for the system. System blocks provide navigation bya touch or mouse-click for the OATC to quickly view the system-levelmimic on the system mimic screen of VDU3.

Navigation links are provided between home screen (VDU1), computer basedProcedures screen (VDU4), and the system mimic screen (VDU3). The homescreen (VDU5) is used as a primary starting point for system-systemnavigation and provides the corresponding system mimic on the systemmimic screen (VDU3) and the applicable procedures and component data onthe computer-based procedure screen (VDU4). In some embodiments, thecomputer-based procedure screen (VDU4) is an end-point navigation path(i.e., no navigation paths out of VDU4 are provided in the human-machineinterface (HMI) design, only paths that drive information to bedisplayed on VDU4). The system mimic screen (VDU3) functions as atwo-way navigation path from system-to-system as well assystem-to-subsystem. The sortable alarm register screen (VDU1) and themulti-trend screen (VDU2) are each independent and provide no navigationto any other screen. System mimics (VDU3) reflect the actual response ofthe system or component from the action performed by the OATC. Controlfeedback that does not comply with the expected response of thecomponent/system is indicated through an alarm/warning condition on VDU1and VDU5.

In further regard to navigation, and with brief returning reference toFIGS. 2-5, it will be noted that all functional blocks are shown in allillustrative home views of FIGS. 2-5. This is true even when the systemcorresponding to a functional block is not operative, e.g. the“Switchyard” block represents the electrical switchyard which is offlinefor the examples of FIGS. 3-5—nonetheless, the “Switchyard” blockremains displayed (albeit with no connecting arrows). This is donebecause the home view is also a system selection tool. In the foregoingexample, although the switchyard is offline, the OATC might want to viewcertain information about the switchyard, and can select to do so bytouching or mouse-clicking the “Switchyard” block.

Various sequential action guidance approaches are contemplated.Auto-complete can be used when the current task needs to be completed,but another task takes higher priority for the attention of the OATC.Preferably, each task provides an option for the OATC to “undo” the tasksteps completed at any point and return the system to the previoussafe/stable state. The OATC also has the option of assuming manualcontrol of a component through the component faceplate control in thesystem mimic screen (VDU3). Computer-based procedures are displayed oncomputer-based procedure screen (VDU4), and control is directly drivenfrom the computer-based procedures. The available procedures are storedin the procedures database 54 (see FIG. 1), and only applicableprocedures for the current selected system are displayed for the currentplant mode and system status. A list of procedure titles is displayed aslinks to navigate to the procedure steps. The list of procedures isoptionally filtered by touching of mouse-clicking on a component on themimic screen (VDU3) to reduce procedure list to tasks that impact thatcomponent.

In a suitable embodiment of the procedures section of VDU4, all steps ofa procedure are visible from the time the procedure is selected until itis completed. Each step is inactive until the previous step iscompleted. A procedure step is disabled and cannot be performed untilthe OATC acknowledges the component receiving the action by touching ormouse-clicking on the component in the system mimic VDU3 (to improvesituational awareness). When a procedure step is enabled by clicking thecomponent in the system mimic, a checkbox or other selection (e.g. an“OK” button) beside the step on VDU4 is activated and the OATC is ableto “check” the box by touch or mouse-click and the action is performed.When a procedure is completed, the final procedure step is to return tothe system task menu.

As already mentioned, only applicable procedures for the currentselected system are displayed for the current plant mode and systemstatus. A procedure is selected by touching or mouse-clicking on theprocedure title, similar to selection of a hyperlink on a web page. Whena procedure is completed, the list of available procedures will beupdated to reflect the change in the system state from the previousprocedure completion.

Because the number of VDUs is relatively small, e.g. 5-7 VDUs in somepreferred embodiments, and 6 VDUs in the illustrative example, it isadvantageous to accommodate the possibility that a VDU may malfunctionand become inoperative. One approach is to have redundant VDUs on hand;however, it would take time to switch out a defective monitor with a newmonitor, and this may be unacceptable.

With reference to FIGS. 10 and 11, an approach for addressing aninoperative VDU is illustrated. In illustrative FIG. 10, VDU4 has failed(as indicated by the large “X” crossing out VDU4). VDU4 ordinarilydisplays the components/procedures display—its unavailability would be aserious problem. To resolve this problem, the functions of the variousVDUs shift, as shown in FIG. 11. Thus, VDU3 which formerly displayed themimic display now displays the components/procedures display. Similarly,VDU2 which formerly displayed the multi-trend display now displays themimic view. VDU1 which formerly displayed the alarms register nowdisplays the multi-trend display.

This leaves the alarms register, which has effectively “shifted off theend”. As seen in FIG. 11, this is accommodated by showing the alarmsregister on VDU6, which normally displays non-safety information orother “less important” information. To allow the OATC to still accessthat information, VDU6 also provides a command via which the OATC cantemporarily switch VDU6 to show the non-safety information. In theillustrative example of FIG. 11, this is done by pressing the <F1>function key, and a suitable instruction is shown at the bottom of thealarms register displayed on VDU6 in FIG. 11. Because displaying thealarms register is generally more important than displaying thenon-safety information, VDU6 is preferably programmed to “time out” thedisplay of the non-safety information and return to the alarm registerdisplay if the OATC does not interact with the non-safety display for acertain time interval. By way of illustrative example, the time-outperiod may be one minute, i.e. when <F1> is pressed the non-safetyscreen replaces the alarms register on VDU6, and thereafter if nofurther action is taken VDU6 switches back to the alarm register displayafter one minute has passed.

The defective monitor VDU4 is shown in FIG. 11 displaying the message“Display failure”. This (or a similarly informative) message isadvantageously displayed on the defective VDU if the VDU is indeedcapable of displaying a textual message. (Of course, if the defect ofthe defective VDU renders it incapable of displaying anything, thennothing is displayed on the defective VDU).

By the disclosed approach of shifting the VDU screens as perillustrative FIGS. 8 and 9, the OATC continues to see something close tothe usual arrangement of screens, with the exception that the alarmsregister is now on the rightmost VDU and VDU4 is blank. This isadvantageous since it reduces likelihood of operator confusion.

In order for the disclosed VDU shifting scheme to work, the VDUs shouldall have the user interfacing capability of the VDU with the mostcomplex user interface. For example, VDU1 may not ordinarily need userinput capability, since it ordinarily displays the alarms register (asin FIG. 8). However, when the VDU shift shown in FIG. 9 is executed,VDU1 then displays the mimic display, which does require user input(e.g., a touch screen, and/or a mouse, or so forth). Thus, all six VDUsshould have the same user interfacing capacity, and indeed arepreferably interchangeable.

In the illustrative example with six VDUs, failure of more than one VDUcannot be accommodated by the shifting scheme. However, if a seventhmonitor (e.g., a second non-safety related monitor) is added then up totwo defective monitors can be accommodated. If an eighth monitor isadded then up to three defective monitors can be accommodated. In someembodiments, the total number of VDUs is between 5 and 8. Additionally,it is contemplated to include a large (e.g. wall-mounted) overviewdisplay that is visible to the shift supervisor and other personnel inthe control room, and/or the shift supervisor may have an additionalmonitoring VDU via which the supervisor can monitor the OATC. Moreover,it is to be appreciated that while the illustrative embodiment includessix distinct VDUs, it is alternatively contemplated to employ a singlelarge-aspect ratio VDU spanning the display area of the illustrative sixVDUs, with the functionality of the six individual monitors beingprovided by six windows displayed on the large-aspect ratio monitor.Said another way, there does not need to be physical separation betweenthe display areas of VDU1-VDU6.

The disclosed control room embodiments include a reactor controlinterface that includes the illustrative VDU1-VDU6 (or some other numberof VDUs, e.g. in a range 5-8 VDUs) and a computer or other electronicdata processing device (not shown) in communication with electronic datanetworks and with VDU1-VDU6 and programmed to generate the discloseddisplays and to receive and process user inputs as described herein, andto send control signals to various components of the nuclear power plant(in accord with user inputs and/or in accord with automated proceduresdisplayed on VDU4 and executed by the computer or other electronic dataprocessing device). The computer or other electronic data processingdevice suitably includes or has access to a hard drive or otherelectronic storage medium that stores the procedures database 54 (seeFIG. 1).

The computer or other electronic data processing device optionallycomprises an interconnected plurality of computers or other electronicdata processing devices. For example, in one contemplated embodimenteach of VDU1-VDU6 comprises a desktop computer running softwareimplementing the control room. In this approach, the six desktopcomputers (in the illustrative case of six VDUs) are interconnected viathe electronic data network in order to perform intercommunicationbetween the VDUs as described herein. For example, the desktop computerimplementing VDU5 suitably communicates selection of a functional blockto VDU3 and VDU4 and in response the desktop computers implementingthose VDUs display the appropriate component mimic and procedures list,respectively. From the monitor shift example described with reference toFIGS. 10-11, it is apparent that the desktop computer normallyimplementing VDU3 (the system mimic) must also include software toimplement VDU4 (the procedures/components display), and so forth for theother desktop computers. To achieve maximum redundancy in thisembodiment, it is advantageous for each desktop computer to include theentirety of the control room software so that the monitor shiftdescribed with reference to FIGS. 10-11 can be performed. This alsoallows swap-out of desktop computers to permanently replace a defectiveVDU. Indeed, in one implementation of this approach, each desktopcomputer includes a VDU_type or other indicator as to which VDU thedesktop computer implements, and the VDU shift of FIGS. 10-11 thenamounts to updating the VDU_type values for the (illustrative six)desktop computers.

In another approach, the control room software executes on a centralcomputer not particularly associated with any of VDU1-VDU6, and thatcentral computer generates and transmits the displays to the six VDUswhich in this embodiment are “dumb” terminals.

In either illustrative embodiment (i.e., the embodiment employing sixinterconnected desktop computers; or, the embodiment employing a centralcomputer connected with six dumb terminals), the control room computeror interconnected computers are preferably connected with an electronicdata network with suitable security provisions. For example, theelectronic data network is preferably an isolated network that isconnected with the various components of the nuclear power plant inorder to receive alarm signals, send control signals, and so forth, butthat is preferably not (at least directly) connected with the Internetor other wider area network. If required by the applicable nuclearregulatory agency, the electronic data network may be an entirely wirednetwork; alternatively, if permissible under local nuclear regulationsit is contemplated to employ a wireless network or a hybridwired/wireless network.

The disclosed control room embodiments may also be embodied as anon-transitory storage medium storing instructions that are executableby the VDUs comprising a central computer controlling dumb terminals, oralternatively comprising a set of interconnected desktop computers, oralternatively comprising another suitable configuration of displaydevices and electronic data processing devices, to perform the disclosedcontrol room operations including displaying the various screens (e.g.the home screen, alarms register display, et cetera) and receiving userinputs as described. The non-transitory storage medium may, for example,comprise a hard disk, RAID disk array, or other magnetic storage medium,an optical disk or other optical storage medium, a FLASH memory or otherelectronic storage medium, various combinations thereof, or so forth.

Still further, it is to be appreciated that various disclosed aspects ofthe illustrative embodiments can be implemented without other disclosedaspects. For example, the disclosed home screen of VDU5 may beimplemented as described in the illustrative embodiments (or variantsthereof) while the control interfacing may be implemented usingtechniques other than the disclosed operation of VDU3 and VDU4.Similarly, the disclosed home screen of VDU5 may be implemented asdescribed in the illustrative embodiments (or variants thereof) whilethe alarm register and/or data trends are/is shown using a formatdifferent from that employed in described VDU1 and/or VDU2. As yetanother example, the disclosed control room screens (i.e., VDU1-VDU6)can be implemented without the VDU-switching capability described withreference to FIGS. 10-11. Conversely, the VDU-switching capabilitydescribed with reference to FIGS. 10-11 may be employed with a set ofVDUs displaying control room subject matter formatted differently thanthat described for VDU1-VDU6.

The preferred embodiments have been illustrated and described.Obviously, modifications and alterations will occur to others uponreading and understanding the preceding detailed description. It isintended that the invention be construed as including all suchmodifications and alterations insofar as they come within the scope ofthe appended claims or the equivalents thereof.

1. A method operating in conjunction with video display units (VDUs) ofa reactor control interface wherein the VDUs include a group of safetyVDUs and an additional VDU that is not a safety VDU, the methodcomprising: detecting a malfunctioning safety VDU, the remaining safetyVDUs being functioning safety VDUs; shifting the displays of thefunctioning safety VDUs to free up one of the functioning safety VDUswherein the shifting transfers the display of one of the functioningsafety VDUs to the additional VDU that is not a safety VDU; andtransferring the display of the malfunctioning safety VDU to thefunctioning safety VDU freed up by the shifting.
 2. The method of claim1 wherein the group of safety VDUs includes: a home screen VDUdisplaying a simplified diagrammatic representation of a nuclear powerplant; a mimic VDU displaying a mimic of a component of the nuclearpower plant; a procedures VDU displaying a stored procedure executableby the nuclear power plant; a multi-trend VDU displaying trends of dataacquired from the nuclear power plant; and an alarms VDU displaying alist of alarms generated by the nuclear power plant.
 3. The method ofclaim 1 wherein the group of safety VDUs includes at least three VDUs ofa group consisting of: a home screen VDU displaying a simplifieddiagrammatic representation of a nuclear power plant; a mimic VDUdisplaying a mimic of a component of the nuclear power plant; aprocedures VDU displaying a stored procedure executable by the nuclearpower plant; a multi-trend VDU displaying trends of data acquired fromthe nuclear power plant; and an alarms VDU displaying a list of alarmsgenerated by the nuclear power plant.
 4. A non-transitory storage mediumstoring instructions executable by an electronic data processing devicein communication with a video display unit (VDU) to perform a methodcomprising: displaying a home screen representing a nuclear power plant,the home screen including: blocks representing functional components ofthe nuclear power plant including at least (i) blocks representingfunctional components of a normal heat sinking path of the nuclear powerplant and (ii) blocks representing functional components of at least oneremedial heat sinking path of the nuclear power plant, and connectingarrows of a first type connecting blocks that are providing the currentheat sinking path wherein directions of the connecting arrows of thefirst type represent the direction of heat flow along the current heatsinking path; and in response to the nuclear power plant transitioningto a different heat sinking path, updating the connecting arrows of thefirst type by deleting and adding connecting arrows of the first type sothat the updated connecting arrows of the first type represent thedifferent heat sinking path.
 5. The non-transitory storage medium as setforth in claim 4 wherein the method further comprises: in response to amalfunctioning functional component of the nuclear power plant,highlighting the block representing the malfunctioning functionalcomponent using a highlighting format.
 6. The non-transitory storagemedium as set forth in claim 5 further comprising: selecting thehighlighting format for the malfunctioning functional component from agroup of different highlighting formats including at least: a firsthighlighting format that is selected if the malfunctioning functionalcomponent is the root cause of a of the nuclear power plant entering anabnormal operating condition, a second highlighting format that isselected if the malfunctioning functional component is not the rootcause of a of the nuclear power plant entering an abnormal operatingcondition.
 7. The non-transitory storage medium as set forth in claim 6further comprising: in response to a remedial functional componenttaking intended remedial action in response to a malfunctioningfunctional component, highlighting the block representing the remedialfunctional component using a third highlighting format that is differentfrom the first and second highlighting formats.
 8. The non-transitorystorage medium as set forth in claim 4 wherein the method furthercomprises: receiving a user selection of a block of the home screen; anddisplaying a mimic view of the functional component represented by theuser-selected block.
 9. The non-transitory storage medium as set forthin claim 4 wherein the method further comprises: receiving a userselection of a block of the home screen; and displaying a list of storedprocedures involving the user-selected block.
 10. The non-transitorystorage medium as set forth in claim 4 wherein the method furthercomprises: simultaneously displaying two side-by-side alarm listswherein one alarm list is by chronological or reverse chronologicalorder and the other alarm list is ordered by priority.
 11. Thenon-transitory storage medium as set forth in claim 10 wherein themethod further comprises reordering the alarms of the alarm list isordered by priority based on a user selection of a different orderingcriterion.
 12. The non-transitory storage medium as set forth in claim 4wherein the method further comprises: displaying a plurality of trendsof data acquired from the nuclear power plant in peripheral windows of amulti-trend display area; receiving a user selection of one of thetrends displayed in the peripheral windows of the multi-trend displayarea; and displaying the selected trend in a central window that islarger than the peripheral windows and that is surrounded by theperipheral windows.